Independent MLA Thomas Dang admits he used basic encryption tools — and the premier’s birthdate — to hack Alberta’s COVID-19 vaccine records website last year.
On his website Tuesday, the MLA for Edmonton-South described the events that prompted his departure from the NDP caucus and made him the subject of an ongoing RCMP investigation.
“As an MLA, I believed I had an obligation to verify if such a negligent vulnerability could exist,” Dang wrote in a report titled How I Did It.
“In conducting this test, I was acting in the public interest and within my role as an MLA.”
Dang said he accessed a stranger’s COVID-19 vaccination records but immediately informed a member of the NDP caucus staff that the site’s security was compromised. The caucus staffer relayed the information to the government, Dang said.
RCMP executed a search warrant at Dang’s home in December. An investigation — led by the Alberta RCMP Cybercrime Investigative Team — is ongoing, RCMP spokesperson Fraser Logan told CBC on Tuesday.
No charges have been laid, Logan said.
CBC News has requested comment from Alberta Health and the NDP.
Dang, who resigned from the NDP caucus in December after the RCMP searched his home, said the breach shows that Alberta’s information technology (IT) infrastructure is vulnerable.
He’s calling on the province to establish new protocols — and a new digital security office — to better protect its IT systems from cyber attacks.
‘Risk of malicious use’
“It is a matter of fact that the government of Alberta released a website in 2021 that exposed the private health-care information of Albertans to an unnecessary risk of malicious use,” Dang wrote in his report.
“Once I had proved it, I provided the government with the information required to fix it. Other actors with ill intent and with more time, expertise and resources had access to the vulnerability for nearly two weeks.”
Dang, who has a background in cybersecurity and computer science, said he orchestrated the breach soon after Alberta’s vaccine records website launched last September.
The site allowed Albertans to download their vaccine records as unlocked PDFs, leading to concerns the documents could be easily forged.
The problem with the PDF documents got fixed but Dang said he received a complaint from a member of the public who was concerned about a different weakness in the system.
“The website appeared to lack security features that would prevent a malicious attacker from scraping the website for the personal health information of Albertans,” Dang wrote.
Dang said he first tried to hack the system by punching in random dates and health numbers.
After five attempts, his internet protocol (IP) address was shut down. Dang said he was able to bypass the block using a widely available program — or script — that scrambled his IP address.
He then began using his own information to test the site, but later decided to use Premier Jason Kenney’s birth and vaccination dates instead, as Kenney’s information was public and could be verified by government officials if a breach was found.
He said he spent about two hours writing an automated program to test the system. He said he was able to retrieve the record of a person who shared Kenney’s birthday and had received a vaccine in the same month as the premier.
“As soon as I was aware that a record had been found, I immediately stopped the script. I then verified that the record was valid by requesting the record from the website,” Dang wrote.
“When I saw that the record belonged to an individual that was not the premier and was also unknown to me, I immediately exited the website and did not save any information.”
Dang said he alerted NDP caucus staff. A caucus staffer told Alberta Health about the breach, he said.
Within a week, Dang said, the province released a new version of the website that fixed the flaw he had identified.
NDP Leader Rachel Notley announced Dang’s resignation from caucus in December, citing the RCMP investigation. Notley said the probe was related to a breach of the Alberta Health COVID records website.
On his website Tuesday, Dang said he plans to table a private member’s bill to establish a new office focusing on the security and defence of Alberta’s digital infrastructure.
“If the government of Alberta does not act quickly to solve this, Albertans will not be able to trust that their personal information will be held secure, and that public systems, programs, and digital infrastructure can withstand a real-world attack.”
He said he is co-operating with the RCMP investigation and remains hopeful that charges will not be laid.